HIPAA and Safe Texting Practices

HIPAA and Safe Texting Practices

Telephones have been a staple of communication for as long as most of us can remember! The cell phone has noticeably changed the way we communicate both personally and increasingly professionally with the introduction of texting. In 2015, a Pew Research survey showed 84% of people in the United States text on a regular basis and that percentage jumps to 97% when those people own a smartphone. The number increases in 2019, with an estimated 81% of adults owning a smartphone, with texting as one of the most used available features.

Texting is an easy, quick, and effective method of communication and many employees want to continue to use it for communication, even while on the job. It's no wonder that new policies and procedures are being developed by organizations for the use of smartphones and texting at work.

The same goes for healthcare organizations. Communication in healthcare organizations has always been essential. This includes communication with other covered entities, between employees, and with patients. With updated communication and storage technology, such as texting, emailing, the implementation of EMR, and other electronic means for storing and transmitting protected health information (PHI), comes with increased risk and the need for more security standards. New regulations to meet this need were enacted in 2013 within the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA includes standards that require covered entities to create and implement policies and procedures that restrict access to, protect the integrity of, and guard against unauthorized access to PHI. Specifically, the standard for transmission security includes addressable specifications for integrity controls and encryption. The Security Rule allows for e-PHI to be sent electronically as long as it is sufficiently protected.

Is Texting Permitted Under HIPAA?

HIPAA does not specifically prohibit text messaging, but it does require reasonable safeguards to be in place just like any other electronic method of communication. Implementing these safeguards is an addressable specification. An addressable specification doesn't mean you can set it aside and take care of it later. It means that as a covered entity you are required to assess your use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution that works best for your organization, and document the decision.

What Are Safe Texting Practices?

Text messages are generally not secure because during transmission they lack encryption, the messages may be stored by the wireless carrier for some time, and it's not always possible to confirm that the intended recipient received the message. As e-PHI needs to be protected in all stages of transmission, whether it is at rest or in transit, an organization is responsible for determining the best way of protecting it. For example, after conducting a risk analysis, your organization may approve texting if you find that the risks are low, and you have appropriate safeguards.

A secure third-party messaging app can allow texting while still protecting PHI:

  • After downloading a secure messaging app on a mobile phone or desktop, each employee would log in with a unique user name and PIN code.
  • The app then allows employees to connect with the designated network and send and receive secure messages; including patient files, images, and lab results.
  • Secure messaging apps have the same benefits as texting; sending messages is fast, easy, and convenient.
  • One final consideration for safe texting, even on a secure platform, should be limiting the amount of information disclosed to the minimum necessary for the intended purposes.

If your organization would like to or already does allow texting as part of your business practices, (e.g., PHI disclosures among staff or communication with patients) it is imperative that you assess the risk and develop policies and procedures that will protect the information transmitted through text messages. If you have questions about secure texting practices or need assistance obtaining a sample BYOD or patient acknowledgment form, we can help. Feel free to contact us by email: support@hcp.md or by phone: 855-427-0427.